George J. Annas, JD, MPH
Leonard H. Glantz, JD
Patricia A. Roche, JD
Health Law Department; Boston University School of Public
Health; 80 East Concord Street; Boston, MA 02118
Tel. (617) 638-4626; FAX: (617) 638-5299; email: annasgj@bu.edu
The Genetic Privacy Act and Commentary is also the Final Report of a project entitled "Guidelines for Protecting Privacy of Information Stored in Genetic Data Banks" which was funded by the Ethical, Legal & Social Implications of the Human Genome Project, Office of Energy Research, U.S. Department of Energy, No. DE-FG02-93ER61626
Additional support was provided by Boston University School of Public Health
February 28, 1995
The Genetic Privacy Act is a proposal for federal legislation. The Act is based on the premise that genetic information is different from other types of personal information in ways that require special protection. The DNA molecule holds an extensive amount of currently indecipherable information. The major goal of the Human Genome Project is to decipher this code so that the information it contains is accessible. The privacy question is, accessible to whom?
The highly personal nature of the information contained in DNA can be illustrated by thinking of DNA as containing an individual's "future diary."[1] A diary is perhaps the most personal and private document a person can create. It contains a person's innermost thoughts and perceptions, and is usually hidden and locked to assure its secrecy. Diaries describe the past. The information in one's genetic code can be thought of as a coded probabilistic future diary because it describes an important part of a unique and personal future.
Genetic information is powerful and personal. As the genetic code is deciphered, genetic analysis of DNA will tell us more and more about a person's likely future, particularly in terms of physical and mental well-being. The search for genetic information often involves locating predictors of undesirable and stigmatizing conditions - such as cancers, and conditions that lead to mental illness and dementia. This information is uniquely sensitive for a number of reasons. First, unlike ordinary diaries that are created by the writer, the information contained in the genetic code is largely unknown to the person in whose genetic material it is found. Therefore, if this information is obtained by someone else without the individual's permission, another person would learn intimate details of the individual's likely future life. A stranger could, in effect, read the future diary of an individual without the individual even knowing that the diary exists. There are many people, including insurers and employers, to whom information about an individual's likely health future would be useful.[2]
Second, deciphering an individual's genetic code also provides the reader of that code with probabilistic health information about that individual's family, especially parents, siblings and children. Third, since the DNA molecule is stable, once removed from a person's body and stored, it can become the source of an increasing amount of information as more is learned about how to read the genetic code. Finally, genetic information (and misinformation) has been used by governments to viciously discriminate against those perceived as genetically unfit.
DNA Databanks
We originally proposed drafting legislation to regulate DNA databanks. We thought of DNA databanks as entities that collected, stored, analyzed and controlled DNA samples and information derived from DNA samples, although the term could also include entities that either only stored DNA samples or only stored information derived from genetic analysis.[3] Thinking of such databanks as holders of genetic information, like computerized medical records, James Watson has said, "The idea that there will be a huge databank of genetic information on millions of people is repulsive."[4]
Dr. Watson's statement expresses the concern of many people who distrust both computer technology and large, bureaucratic record-keeping systems, and perceive private genetic information as uniquely personal. Such distrust also flows from the realization that current confidentiality policies and practices, which supposedly safeguard personal medical information, are inadequate to protect private genetic information.[5] New rules for DNA databanks are needed to minimize the potential harm to individual privacy and liberty that the collection, storage and distribution of genomic information could produce, and to foster personally and societally useful applications of genetic information. As the U.S. House of Representatives Committee on Government Operations rightly concluded in its study of genetic information, such rules "will be more effective and less expensive to implement if established in advance."[6]
Our own analysis of the privacy issues implicated by DNA databanks has persuaded us that it is not feasible to protect genetic privacy by limiting regulation to places called DNA databanks. One reason is that it is difficult even to define precisely a DNA databank. Entities that only store medical records seem to qualify, but are not the major focus of concern regarding the new genetics. There are already many entities that store genetic materials, including the FBI and individual state programs that store DNA samples from convicted sex offenders and other criminals, the U.S. Army's DNA sample storage program, and private medical research projects. The FBI is primarily interested in using DNA to identify criminal suspects, while medical research programs might conduct future analysis of DNA samples to further decipher the genetic code. Other entities could qualify as DNA banks because they collect and store large amounts of biological material, even though they have no current intent to conduct genetic analysis. Such programs include the Red Cross and other blood banks, private sperm, ovum and embryo banks, and state facilities that store blood samples that have been used for phenylketonuria (PKU) testing.
Collection, Analysis and Storage of DNA and Genetic Information
Focusing solely on any or all of these types of DNA databanks assumes that the DNA samples have been legitimately obtained and analyzed, and the only issues are the proper storage of genetic information, and rules governing the disclosure of the genetic information by DNA databanks. But meaningful privacy protection must regulate the collection, analysis and storage of DNA samples, as well as the storage and disclosure of the genetic information derived from the analysis of these samples, no matter who performs that analysis. It is, after all, the DNA samples that contain the individual's private genetic information. Control of these samples enables the custodian to analyze and reanalyze them to derive increasing amounts of genetic information as new tests are developed. It is also possible to obtain biological material for the purpose of DNA analysis without the person knowing that such material was obtained or analyzed. For example, DNA can even be obtained from hair samples left on a barber's floor or from saliva found on a licked stamp.
Therefore, to effectively protect genetic privacy unauthorized collection and analysis of individually identifiable DNA must be prohibited. As a result, the overarching premise of the Act is that no stranger should have or control identifiable DNA samples or genetic information about an individual unless that individual specifically authorizes the collection of DNA samples for the purpose of genetic analysis, authorizes the creation of that private information, and has access to and control over the dissemination of that information.
The rules protecting genetic privacy must be clear and known to the medical, scientific, business and law enforcement communities and the public. The purpose of the Genetic Privacy Act is to codify these rules. It has been drafted as a federal statute to provide uniformity across state lines. However, the Act could be adopted by individual states and used as guidelines by professional societies, at least until such time as Congress acts.[7]
Under the Act, each person who collects a DNA sample (e.g., blood, saliva, hair or other tissue) for the purpose of performing genetic analysis is required to:
Special rules regarding the collection of DNA samples for genetic analysis are set forth for minors, incompetent persons, pregnant women, and embryos. DNA samples may be collected and analyzed for identification for law enforcement purposes if authorized by state law, and for identifying dead bodies, without complying with the authorization provisions of the Act. Research on individually identifiable DNA samples is prohibited unless the sample source has authorized such research use, and research on nonidentifiable samples is permitted if this has not been prohibited by the sample source. Pedigree research and research involving DNA from minors are also governed by specific provisions of the Act.
Individuals are prohibited from analyzing DNA samples unless they have verified that written authorization for the analysis has been given by the sample source or the sample source's representative. The sample source has the right to:
A written summary of these principles and other requirements under the Act must be supplied to the sample source by the person who collects the DNA sample. The Act requires that the person who holds private genetic information in the ordinary course of business keep such information confidential and prohibits the disclosure of private genetic information unless the sample source has authorized the disclosure in writing or the disclosure is limited to access by specified researchers for compiling data.
The Genetic Privacy Act protects individual privacy while permitting medical uses of genetic analysis, legitimate research in genetics, and genetic analysis for identification purposes.
Acknowledgements
This project had its genesis at a meeting in Cold Spring Harbor in November 1989 at which one of the drafters (GJA) gave a presentation on the privacy issues involved in DNA banking. Fourteen months later, he and Dr. Sherman Elias co-hosted an NIH-sponsored workshop in Bethesda, Maryland the purpose of which was to suggest a prioritized research agenda for the Ethical, Legal & Social Implications (ELSI) program of the Human Genome Project. Protecting genetic privacy was ranked as one of the two highest priority issues at that workshop (regulating the introduction of new genetic tests into clinical practice was ranked slightly higher). Shortly thereafter the Director of the ELSI program for the U.S. Department of Energy, Michael Yesley, asked us to draft guidelines to protect the privacy of individuals whose DNA was stored at DNA banks. We agreed, and began this project in June of 1993, with Dr. Daniel Drell of the U.S. Department of Energy (Health Effects and Life Sciences Research Division, Office of Health and Environmental Research, Office of Engergy Research) as the project monitor.
In the course of the first year of research we concluded that it was necessary to broaden the scope of the project, and presented the rationale for this change to the ELSI Working Group in June of 1994. They concurred. The first draft of the Genetic Privacy Act was completed in late September 1994, and presented to the ELSI Working Group in December 1994.
Many people, in addition to the members of the ELSI Working Group, contributed in substantial ways to the final product. These included our research assistants, Nan Elster, Sue Yeu, Chris Hager, and Alex Klickstein, as well as our support staff, especially the Administrative Coordinator of the Health Law Department, Marilyn Ricciardelli, and the Department's Secretary, Deborah Darling. The Director of the Boston University School of Public Health, Dr. Robert F. Meenan, was especially supportive of our work. We are grateful for the generous and thoughtful comments of our colleagues who reviewed drafts and provided needed insight to both legal and genetic issues. Sherman Elias was our primary genetics consultant, and his advice was invaluable. Robert Gellman's thoughtful comments and advice helped us to avoid many legislative drafting pitfalls. Lori Andrews worked especially hard to make sure we had taken all of the genetic privacy issues into account.
Others who provided valuable comments and input include Wendy Mariner, Michael Grodin, Philip Reilly, Jean McEwen, Wendy Parmet, Bernard Dickens, Margaret Somerville, Alan Westin, Judy Garber and Margaret Dreyfus. The final product, of course, is our responsibility.
George J. Annas
Leonard H. Glantz
Patricia Roche
Boston
February, 1995
File posted May 1995.